---[ Phrack Magazine Volume 8, Issue 53 July 8, 1998, article 01 of 15 -------------------------[ P H R A C K 5 3 I N D E X --------[ Rumble in the Mumble More than 6 months have passed since our last offering. My most humble, sincere and heartfelt apologies. At long last, here we are. Better late then never, that's what I always say. Unless of course, the late version sucks, then I just like to disavow it entirely. Well, here we go again. Another Phrack issue to glorify behavior which would otherwise be classified as sociopathic or frankly psychotic (according to Mich Kabay). More of what you want, more of what you need. Technical articles on fanatically enticing topics, lines and lines of glorious source, another gut-busting installment of Loopback, and of course, the News. Mammas, don't let your babies grow up to be hackers. Or hookers for that matter. Alright. Let's get down to business. Let's talk remote attack paradigms. Remote attack paradigms can fall into one of two types, based off of the standard client/server communication paradigm (we are glossing over any extensions to the model like client to client or server to server stuff). The two attack types are client to server (server-centric) and server to client (client-centric). Server-centric attacks are well known, understand and documented. Client-centric attacks are an area that is often overlooked, but is definitely fertile ground for exploitation. Below we look at both. ----[ Server-Centricity Historically, the vast majority of remote attacks have been server-centric. Server-centric, in this scope, refers to attacks that target server (or daemon) programs. A common (and frequently reoccurring) example is sendmail. The attack targets a server (the sendmail daemon) and approximates a client (the exploit program). There are several reasons why this has been the trend: - Server programs typically run with elevated privileges. Server programs usually require certain system resources or access to special files that necessitate privilege elevation (of course we know this doesn't have to be the case; have a look at POSIX 6). A successful compromise could very well mean access to the target system at that (higher) privilege level. - Discretion is the attacker's whim. The client/server message paradigm specifies that a server provides a service that a client may request. Servers exist to process clientele requests. As per this model, the attacker (client) makes a request (attack) to any server offering the service and may do so at any point. - Client codebase is usually simple. Dumb client, smart server. The impact of this is two-fold. The fact that server code tends to be more complex means that it is tougher to audit from a security stand-point. The fact that client code is typically smaller and less complex means that exploitation code development time is reduced. - Code reuse in exploitation programs. Client-based exploitation code bases are often quite similar. Code such as packet generators and buffer overflow eggs are often reused. This further cuts down on development time and also reduces required sophistication on the part of the exploit writer. All of these make server-centric attacks enticing. The ability to selectively choose a program to attack running with elevated privileges and quickly write up exploit code for it is a powerful combination. It is easy to see why this paradigm has perpetuated itself so successfully. However, up until recently it seems another potentially lucrative area of exploitation has gone all but overlooked. ----[ Client-Centricity An often neglected area of exploitation is the exact reverse of the above: client-centricity. Client-centric attacks target client programs (duh). The types of programs in this category include: web browsers (which have seen more then their share of vulnerabilities) remote access programs, DNS resolvers and IRC clients (to name a few). The benefits of this attack model are as follows: - Automated (non-discretionary) attacks. We know that, under the previous paradigm, the attacker has complete autonomy over who s/he attacks. The benefit there is obvious. However, non-discretionary attacking implies that the attacker doesn't even have to be around when the attack takes place. The attacker can set up the server containing the exploit and actually go do something useful (tm). - Wide dispersement. With client-centric attacks you can gain a wider audience. If a server contains a popular service, people from all over will seek it out. Popular websites are constantly bombarded with clientele. Another consideration: server programs often run in filtered environments. It may not be possible for an attacker to connect to a server. This is rarely the case in client-centric attacks. - Client codebase not developed with security in mind. If you think server code is bad, you should see some client code. Memory leaks and stack overruns are all too common. - Largely an untapped resource. There are so many wonderful holes waiting to be discovered. Judging at how successful people have been in finding and exploiting holes in server code, it goes to figure that the same success can be had in client code. In fact, if you take into account the fact that the codebase is largely unaudited from a security perspective, the yields should be high. For all the above reasons, people wanting to find security holes should be definitely be looking at client programs. Now go break telnet. Enjoy the magazine. It is by and for the hacking community. Period. -- Editor in Chief ----------------[ route -- Phrack World News --------------[ disorder -- Phrack Publicity ---------------[ dangergirl -- Phrack Librarian ---------------[ loadammo -- Soother of Typographical Chaos -[ snocrash -- Hi! I'm an idiot! -------------[ Carolyn P. Meinel -- The Justice-less Files ---------[ Kevin D. Mitnick (www.kevinmitnick.com) -------- Elite --------------------> Solar Designer -- More money than God ------------[ The former SNI -- Tom P. and Tim N. -------------[ Cool as ice, hot as lava. -- Official Phrack Song -----------[ KMFDM/Megalomaniac -- Official Phrack Tattoo artist --[ C. Nalla Smith -- Shout Outs and Thank Yous ------[ haskell, mudge, loadammo, nihilis, daveg, -----------------------------------| halflife, snocrash, apk, solar designer, -----------------------------------| kore, alhambra, nihil, sluggo, Datastorm, -----------------------------------| aleph1, drwho, silitek Phrack Magazine V. 8, #53, xx xx, 1998. ISSN 1068-1035 Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the editor in chief. Phrack Magazine is made available quarterly to the public, free of charge. Go nuts people. Contact Phrack Magazine ----------------------- Submissions: phrackedit@phrack.com Commentary: loopback@phrack.com Editor in Chief: route@phrack.com Publicist: dangergrl@phrack.com Phrack World News: disorder@phrack.com Submissions to the above email address may be encrypted with the following key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j 0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG /v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU= =1iyt -----END PGP PUBLIC KEY BLOCK----- As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED. Phrack goes out plaintext. You certainly can subscribe in plaintext. phrack:~# head -20 /usr/include/std-disclaimer.h /* * All information in Phrack Magazine is, to the best of the ability of the * editors and contributors, truthful and accurate. When possible, all facts * are checked, all code is compiled. However, we are not omniscient (hell, * we don't even get paid). It is entirely possible something contained * within this publication is incorrect in some way. If this is the case, * please drop us some email so that we can correct it in a future issue. * * * Also, keep in mind that Phrack Magazine accepts no responsibility for the * entirely stupid (or illegal) things people may do with the information * contained here-in. Phrack is a compendium of knowledge, wisdom, wit, and * sass. We neither advocate, condone nor participate in any sort of illicit * behavior. But we will sit back and watch. * * * Lastly, it bears mentioning that the opinions that may be expressed in the * articles of Phrack Magazine are intellectual property of their authors. * These opinions do not necessarily represent those of the Phrack Staff. */ -------------------------[ T A B L E O F C O N T E N T S 1 Introduction Phrack Staff 11K 2 Phrack Loopback Phrack Staff 33K 3 Line Noise various 51K 4 Phrack Prophile on Glyph Phrack Staff 18K 5 An Overview of Internet Routing krnl 50K 6 T/TCP Vulnerabilities route 17K 7 A Stealthy Windows Keylogger markj8 25K 8 Linux Trusted Path Execution redux K. Baranowski 23K 9 Hacking in Forth mudge 15K 10 Interface Promiscuity Obscurity apk 24K 11 Watcher, NIDS for the masses hacklab 32K 12 The Crumbling Tunnel Aleph1 52K 13 Port Scan Detection Tools Solar Designer 25K 14 Phrack World News Disorder 95K 15 extract.c Phrack Staff 11K 482K ----------------------------------------------------------------------------- " The advent of information availability and a rise in the number people for whom the net has always been 'the norm' is producing a class of users who cannot think for themselves. As reliance upon scripted attacks increases, the number of people who personally possess technical knowledge decreases. " ----------------------------------------------------------------------------- ----[ EOF